Cryptographic algorithms like DES, triple DES, AES, SHA, and RSA are used to cipher data to render it secure against possible attacks. For example, cryptographic algorithms are implemented in an IC card to cipher data stored in a memory unit of the IC card.
More particularly, the cryptographic algorithm is a mathematical transformation applying a secret key to one or more data inputs to obtain one or more corresponding data outputs. Without the knowledge of such a secret key, the data output cannot be used to retrieve the data inputs.
More particularly, a cryptographic algorithm generally comprises a plurality of operations at least one of which, hereinafter also indicated as cryptographic operation, involves a secret key. The cryptographic algorithm and all the cryptographic operations are implemented in software or hardware intended to be run on a processor of the IC card.
Generally, an attack is intended to discover the secret key stored in the IC card, and consequently, to discover sensitive data stored therein. The attack generally implements an analysis of the processor during its execution for discovering implementation-specific characteristics of the cryptographic algorithm.
For example, power consumption of the processor may be associated to an execution of cryptographic operations included in the cryptographic algorithm. A cryptographic operation may be easily detectable because it generally involves intensive computational operations corresponding to high power consumption for the processor.
More particularly, the analysis of the power consumption in an IC card may provide information about the cryptographic operations, the processor clock pulses or information about the terminal that the IC card is connected since the IC card power is provided by the terminal itself.
More particularly, Differential Power Analysis (DPA) may be based on a large number of subsequent executions of the same cryptographic algorithm intended to analyze the processor power consumptions, and to make a potential association between such consumption and the secret key used by the cryptographic algorithm. For example, two similar power consumptions detected in two different executions of the same cryptographic algorithm may be related to the execution of the same or similar cryptographic operations, probably involving the same secret key.
Also, Simple Power Analysis (SPA) based on simpler attacks that do not require statistical analysis may be used to detect secret keys. Both Simple Power Analysis (SPA) and Differential Power Analysis (DPA) are applied without knowing the design of the IC card object of analysis. They are non-invasive and easily automated.
With reference to FIG. 1, a cryptographic algorithm for protecting data against possible attacks is schematically shown in a block diagram, globally indicated with numeral reference 10. More particularly, the cryptographic algorithm may comprise a sequence of cryptographic operations OP intended to cipher one or more plain texts M1, . . . , MN in corresponding enciphered texts C1, . . . , CN. As schematically shown, the sequence of cryptographic operations OP ciphers the plain texts M1, . . . , MN through a secret key ESK.
At the present, hardware and software countermeasures are known to reduce the leakage of information during possible attacks. For example, such countermeasures add noise to the power consumption measurements associated to the execution of cryptographic operations OP involved in the use of the secret key ESK.
For instance, a randomizing delay may be inserted when a cryptographic operation OP is performed in order to de-correlate subsequent executions of the cryptographic algorithm. The execution time of such an algorithm and the execution time of the corresponding cryptographic operations may be non-predictable. In this way subsequent executions of the same cryptographic algorithm requires different computational time.
These countermeasures render a signal amplitude measurement associated to the power consumption of the cryptographic operations OP useless to derive information about the secret key ESK involved in the cryptographic algorithm. These countermeasures do not completely mislead an attack based on power consumption from the detectability of the cryptographic algorithm. This is because the execution time of such a cryptographic algorithm is abnormal during subsequent executions due to the introduction of the randomizing delay.
For example, if the power consumption between two subsequent executions of the same cryptographic operation is different, an attack may detect an abnormal behavior of such executions and associate the abnormal behavior to a potential use of a secret key. In this way, the attack concentrates the analysis near the abnormal executions to recover the secret key ESK of the cryptographic algorithm and the sensible data.